Edit tour

Linux Analysis Report
uYtea.arm.elf

Overview

General Information

Sample name:	uYtea.arm.elf
Analysis ID:	1586057
MD5:	2a803a7b7c48b7530c6a53c6dfe718a1
SHA1:	dd3a35733efa7175deda0dba429ed6be44254926
SHA256:	dc9049c50bf6f72a3fb1d6c39f2e3880a05c6f2335b64fd69ef635c541ed2d56
Tags:	user-elfdigest
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

Sample has stripped symbol table

Sample listens on a socket

Uses the "uname" system call to query kernel version information (possible evasion)

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586057
Start date and time:	2025-01-08 17:06:02 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	uYtea.arm.elf
Detection:	MAL
Classification:	mal64.linELF@0/0@0/0

Warnings

VT rate limit hit for: uYtea.arm.elf

Runtime Messages

Command:	/tmp/uYtea.arm.elf
PID:	5511
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	connecterror
Standard Error:

Process Tree

system is lnxubuntu20

uYtea.arm.elf (PID: 5511, Parent: 5429, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/uYtea.arm.elf

uYtea.arm.elf New Fork (PID: 5513, Parent: 5511)

uYtea.arm.elf New Fork (PID: 5515, Parent: 5513)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
uYtea.arm.elf	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xc4b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc4c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc4dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc4f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc52c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc540:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc554:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc568:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc57c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc590:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc608:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc61c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc630:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc644:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Memory Dumps

Source	Rule	Description	Author	Strings
5511.1.00007f95a4017000.00007f95a4026000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xc4b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc4c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc4dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc4f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc52c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc540:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc554:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc568:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc57c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc590:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc608:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc61c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc630:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc644:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5515.1.00007f95a4017000.00007f95a4026000.r-x.sdmp	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xc4b4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc4c8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc4dc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc4f0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc504:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc518:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc52c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc540:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc554:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc568:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc57c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc590:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5a4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5b8:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5cc:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5e0:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc5f4:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc608:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc61c:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc630:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xc644:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: uYtea.arm.elf PID: 5511	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0xf085:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf099:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf0ad:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf0c1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf0d5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf0e9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf0fd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf111:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf125:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf139:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf14d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf161:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf175:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf189:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf19d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf1b1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf1c5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf1d9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf1ed:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf201:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0xf215:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
Process Memory Space: uYtea.arm.elf PID: 5515	Linux_Trojan_Gafgyt_28a2fe0c	unknown	unknown	0x3eb1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ec5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ed9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3eed:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f01:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f15:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f29:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f3d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f51:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f65:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f79:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3f8d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3fa1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3fb5:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3fc9:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3fdd:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x3ff1:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4005:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4019:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x402d:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F 0x4041:$a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: uYtea.arm.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: uYtea.arm.elf

ReversingLabs: Detection: 65%

Source: global traffic

TCP traffic: 192.168.2.15:35654 -> 141.98.10.115:1302

Source: /tmp/uYtea.arm.elf (PID: 5511)

Socket: 127.0.0.1:9473

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: uYtea.arm.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5511.1.00007f95a4017000.00007f95a4026000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5515.1.00007f95a4017000.00007f95a4026000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: uYtea.arm.elf PID: 5511, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: uYtea.arm.elf PID: 5515, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown

Source: ELF static info symbol of initial sample

.symtab present: no

Source: uYtea.arm.elf, type: SAMPLE	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5511.1.00007f95a4017000.00007f95a4026000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5515.1.00007f95a4017000.00007f95a4026000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: uYtea.arm.elf PID: 5511, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: uYtea.arm.elf PID: 5515, type: MEMORYSTR	Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16

Source: classification engine

Classification label: mal64.linELF@0/0@0/0

Source: /tmp/uYtea.arm.elf (PID: 5513)	Directory: /tmp/.			Jump to behavior
Source: /tmp/uYtea.arm.elf (PID: 5513)	Directory: /tmp/..			Jump to behavior

Source: /tmp/uYtea.arm.elf (PID: 5511)

Queries kernel information via 'uname':

Jump to behavior

Source: uYtea.arm.elf, 5511.1.000055971abb8000.000055971ace6000.rw-.sdmp, uYtea.arm.elf, 5515.1.000055971abb8000.000055971ace6000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: uYtea.arm.elf, 5511.1.000055971abb8000.000055971ace6000.rw-.sdmp, uYtea.arm.elf, 5515.1.000055971abb8000.000055971ace6000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: uYtea.arm.elf, 5511.1.00007fff0889e000.00007fff088bf000.rw-.sdmp, uYtea.arm.elf, 5515.1.00007fff0889e000.00007fff088bf000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: uYtea.arm.elf, 5511.1.00007fff0889e000.00007fff088bf000.rw-.sdmp, uYtea.arm.elf, 5515.1.00007fff0889e000.00007fff088bf000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/uYtea.arm.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/uYtea.arm.elf

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Hidden Files and Directories	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
uYtea.arm.elf	66%	ReversingLabs	Linux.Trojan.Mirai
uYtea.arm.elf	100%	Avira	EXP/ELF.Mirai.Z.D

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
141.98.10.115	unknown	Lithuania		209605	HOSTBALTICLT	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
141.98.10.115	uYtea.mips.elf	Get hash	malicious	Unknown	Browse
	uYtea.mpsl.elf	Get hash	malicious	Unknown	Browse
	uYtea.arm7.elf	Get hash	malicious	Mirai	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTBALTICLT	uYtea.mips.elf	Get hash	malicious	Unknown	Browse	141.98.10.115
	uYtea.mpsl.elf	Get hash	malicious	Unknown	Browse	141.98.10.115
	uYtea.arm7.elf	Get hash	malicious	Mirai	Browse	141.98.10.115
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	141.98.10.88
	Scan12112024,pdf.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	141.98.10.88
	Scan112024.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	141.98.10.88
	173127133603e75602cf90c03b229cc07ec4f5c026cad2909c809b767b293bf800a0e9ade9674.dat-decoded.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	141.98.10.88
	ConfirmaciXnXdeXfacturaXPedidoXadicional.doc	Get hash	malicious	Unknown	Browse	141.98.10.88
	DOC11042024.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	141.98.10.40
	Contract #U2116 KB #U2013 08152024 - 1.pif.exe	Get hash	malicious	RedLine	Browse	141.98.10.33

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	6.15481879326701
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	uYtea.arm.elf
File size:	60'760 bytes
MD5:	2a803a7b7c48b7530c6a53c6dfe718a1
SHA1:	dd3a35733efa7175deda0dba429ed6be44254926
SHA256:	dc9049c50bf6f72a3fb1d6c39f2e3880a05c6f2335b64fd69ef635c541ed2d56
SHA512:	9e7748953d6e93e1924fe24f6f44e67f24f43e801aae0ee6e4419d4ca50435acbfdfd5a0aaa3e8c470c9a47661746d290c721dbb4de803b5f602f1db10d024c8
SSDEEP:	768:lP6aHMzAR6hM2uQBTPpdxnlILKU0vVONyRgGhd2G4NMiplImpcvwJZY10UPZvBqJ:0aHuAzgjjfUKU0NONyRgG+7XtJa10oB
TLSH:	F8533A51B8819613C5D4137BF6BE428D3B2523E8E2DF3217AD222F413BCA82F1D67A45
File Content Preview:	.ELF...a..........(.........4...........4. ...(.....................@...@...............D...D...D...D...0J..........Q.td..................................-...L."....0..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x202
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	60360
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0xc3f0	0x0	0x6	AX	16
.fini	PROGBITS	0x144a0	0xc4a0	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x144b4	0xc4b4	0x1f8c	0x0	0x2	A	4
.ctors	PROGBITS	0x1e444	0xe444	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x1e44c	0xe44c	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x1e458	0xe458	0x730	0x0	0x3	WA	4
.bss	NOBITS	0x1eb88	0xeb88	0x42ec	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0xeb88	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0xe440	0xe440	6.1780	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0xe444	0x1e444	0x1e444	0x744	0x4a30	4.3124	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 17:06:52.207103968 CET	35654	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:06:52.211961031 CET	1302	35654	141.98.10.115	192.168.2.15
Jan 8, 2025 17:06:52.212040901 CET	35654	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:06:52.213092089 CET	35654	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:06:52.217916965 CET	1302	35654	141.98.10.115	192.168.2.15
Jan 8, 2025 17:06:52.217978001 CET	35654	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:06:52.222762108 CET	1302	35654	141.98.10.115	192.168.2.15
Jan 8, 2025 17:06:53.946842909 CET	1302	35654	141.98.10.115	192.168.2.15
Jan 8, 2025 17:06:53.947139978 CET	35654	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:06:53.951886892 CET	1302	35654	141.98.10.115	192.168.2.15
Jan 8, 2025 17:06:54.949219942 CET	35656	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:06:54.954022884 CET	1302	35656	141.98.10.115	192.168.2.15
Jan 8, 2025 17:06:54.954127073 CET	35656	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:06:54.954876900 CET	35656	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:06:54.959655046 CET	1302	35656	141.98.10.115	192.168.2.15
Jan 8, 2025 17:06:54.959708929 CET	35656	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:06:54.964452028 CET	1302	35656	141.98.10.115	192.168.2.15
Jan 8, 2025 17:06:56.658013105 CET	1302	35656	141.98.10.115	192.168.2.15
Jan 8, 2025 17:06:56.658231020 CET	35656	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:06:56.663079977 CET	1302	35656	141.98.10.115	192.168.2.15
Jan 8, 2025 17:06:57.659729958 CET	35658	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:06:57.664668083 CET	1302	35658	141.98.10.115	192.168.2.15
Jan 8, 2025 17:06:57.664752960 CET	35658	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:06:57.665507078 CET	35658	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:06:57.670330048 CET	1302	35658	141.98.10.115	192.168.2.15
Jan 8, 2025 17:06:57.670397997 CET	35658	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:06:57.675194979 CET	1302	35658	141.98.10.115	192.168.2.15
Jan 8, 2025 17:06:59.392729044 CET	1302	35658	141.98.10.115	192.168.2.15
Jan 8, 2025 17:06:59.392930031 CET	35658	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:06:59.401746988 CET	1302	35658	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:00.394562960 CET	35660	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:00.399398088 CET	1302	35660	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:00.399466038 CET	35660	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:00.400171041 CET	35660	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:00.404917002 CET	1302	35660	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:00.404963970 CET	35660	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:00.409734011 CET	1302	35660	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:02.090531111 CET	1302	35660	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:02.090780020 CET	35660	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:02.095586061 CET	1302	35660	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:03.092499971 CET	35662	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:03.097471952 CET	1302	35662	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:03.097546101 CET	35662	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:03.098350048 CET	35662	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:03.103144884 CET	1302	35662	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:03.103190899 CET	35662	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:03.108005047 CET	1302	35662	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:04.809798956 CET	1302	35662	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:04.809993982 CET	35662	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:04.814807892 CET	1302	35662	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:05.811633110 CET	35664	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:05.816418886 CET	1302	35664	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:05.816479921 CET	35664	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:05.817095995 CET	35664	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:05.821913004 CET	1302	35664	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:05.821958065 CET	35664	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:05.826708078 CET	1302	35664	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:07.542948008 CET	1302	35664	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:07.543186903 CET	35664	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:07.543205976 CET	35664	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:07.547955990 CET	1302	35664	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:08.545000076 CET	35666	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:08.549958944 CET	1302	35666	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:08.550019026 CET	35666	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:08.550647974 CET	35666	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:08.555653095 CET	1302	35666	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:08.555695057 CET	35666	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:08.560455084 CET	1302	35666	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:10.261425018 CET	1302	35666	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:10.261583090 CET	35666	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:10.266381025 CET	1302	35666	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:11.263160944 CET	35668	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:11.267935991 CET	1302	35668	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:11.267987967 CET	35668	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:11.268824100 CET	35668	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:11.273623943 CET	1302	35668	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:11.273660898 CET	35668	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:11.278389931 CET	1302	35668	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:12.963043928 CET	1302	35668	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:12.963331938 CET	35668	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:12.968110085 CET	1302	35668	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:13.965507984 CET	35670	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:13.970408916 CET	1302	35670	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:13.970523119 CET	35670	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:13.971329927 CET	35670	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:13.976161003 CET	1302	35670	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:13.976248026 CET	35670	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:13.981018066 CET	1302	35670	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:15.666754961 CET	1302	35670	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:15.667009115 CET	35670	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:15.667010069 CET	35670	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:15.671813965 CET	1302	35670	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:16.668718100 CET	35672	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:16.673496008 CET	1302	35672	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:16.673577070 CET	35672	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:16.674288988 CET	35672	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:16.679048061 CET	1302	35672	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:16.679121971 CET	35672	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:16.683852911 CET	1302	35672	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:18.370882988 CET	1302	35672	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:18.371010065 CET	35672	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:18.375807047 CET	1302	35672	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:19.372530937 CET	35674	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:19.377346039 CET	1302	35674	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:19.377413988 CET	35674	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:19.378040075 CET	35674	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:19.382846117 CET	1302	35674	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:19.382888079 CET	35674	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:19.387689114 CET	1302	35674	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:21.077554941 CET	1302	35674	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:21.077824116 CET	35674	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:21.082590103 CET	1302	35674	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:22.079288960 CET	35676	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:22.084100008 CET	1302	35676	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:22.084163904 CET	35676	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:22.084666014 CET	35676	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:22.089430094 CET	1302	35676	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:22.089478970 CET	35676	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:22.094321966 CET	1302	35676	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:23.779557943 CET	1302	35676	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:23.779725075 CET	35676	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:23.784569979 CET	1302	35676	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:24.781050920 CET	35678	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:24.785830975 CET	1302	35678	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:24.785898924 CET	35678	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:24.786463022 CET	35678	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:24.791217089 CET	1302	35678	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:24.791263103 CET	35678	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:24.796029091 CET	1302	35678	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:26.499388933 CET	1302	35678	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:26.499588966 CET	35678	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:26.505100012 CET	1302	35678	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:27.501337051 CET	35680	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:27.506109953 CET	1302	35680	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:27.506167889 CET	35680	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:27.506784916 CET	35680	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:27.511509895 CET	1302	35680	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:27.511599064 CET	35680	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:27.516334057 CET	1302	35680	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:29.343734026 CET	1302	35680	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:29.344177008 CET	35680	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:29.349024057 CET	1302	35680	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:30.345967054 CET	35682	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:30.350824118 CET	1302	35682	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:30.350910902 CET	35682	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:30.351511002 CET	35682	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:30.356250048 CET	1302	35682	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:30.356302023 CET	35682	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:30.361057043 CET	1302	35682	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:32.089180946 CET	1302	35682	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:32.089432955 CET	35682	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:32.094249010 CET	1302	35682	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:33.091403961 CET	35684	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:33.096210003 CET	1302	35684	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:33.096324921 CET	35684	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:33.097197056 CET	35684	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:33.101953983 CET	1302	35684	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:33.102083921 CET	35684	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:33.106834888 CET	1302	35684	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:34.792443991 CET	1302	35684	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:34.792701960 CET	35684	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:34.797602892 CET	1302	35684	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:35.794538021 CET	35686	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:35.799310923 CET	1302	35686	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:35.799386024 CET	35686	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:35.800122976 CET	35686	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:35.804851055 CET	1302	35686	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:35.804920912 CET	35686	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:35.809664011 CET	1302	35686	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:37.479618073 CET	1302	35686	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:37.479814053 CET	35686	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:37.484621048 CET	1302	35686	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:38.481497049 CET	35688	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:38.486459017 CET	1302	35688	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:38.486576080 CET	35688	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:38.487504005 CET	35688	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:38.492374897 CET	1302	35688	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:38.492429972 CET	35688	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:38.497584105 CET	1302	35688	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:40.203061104 CET	1302	35688	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:40.203366995 CET	35688	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:40.208136082 CET	1302	35688	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:41.205410004 CET	35690	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:41.210184097 CET	1302	35690	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:41.210303068 CET	35690	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:41.211360931 CET	35690	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:41.216159105 CET	1302	35690	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:41.216226101 CET	35690	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:41.220992088 CET	1302	35690	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:42.905154943 CET	1302	35690	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:42.905505896 CET	35690	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:42.910269022 CET	1302	35690	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:43.907944918 CET	35692	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:43.912769079 CET	1302	35692	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:43.912867069 CET	35692	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:43.913800955 CET	35692	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:43.918524027 CET	1302	35692	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:43.918579102 CET	35692	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:43.923304081 CET	1302	35692	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:45.640125036 CET	1302	35692	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:45.640261889 CET	35692	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:45.645066023 CET	1302	35692	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:46.642543077 CET	35694	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:46.647357941 CET	1302	35694	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:46.647452116 CET	35694	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:46.648464918 CET	35694	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:46.653249979 CET	1302	35694	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:46.653307915 CET	35694	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:46.658102036 CET	1302	35694	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:48.354923010 CET	1302	35694	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:48.355155945 CET	35694	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:48.359971046 CET	1302	35694	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:49.357069016 CET	35696	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:49.361849070 CET	1302	35696	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:49.361938000 CET	35696	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:49.362586021 CET	35696	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:49.367330074 CET	1302	35696	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:49.367393017 CET	35696	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:49.372137070 CET	1302	35696	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:51.061919928 CET	1302	35696	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:51.062269926 CET	35696	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:51.067032099 CET	1302	35696	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:52.064116955 CET	35698	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:52.068962097 CET	1302	35698	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:52.069026947 CET	35698	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:52.069909096 CET	35698	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:52.074718952 CET	1302	35698	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:52.074764013 CET	35698	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:52.079555988 CET	1302	35698	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:53.762141943 CET	1302	35698	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:53.762506008 CET	35698	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:53.767309904 CET	1302	35698	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:54.764712095 CET	35700	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:54.769604921 CET	1302	35700	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:54.769730091 CET	35700	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:54.771238089 CET	35700	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:54.776036024 CET	1302	35700	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:54.776108027 CET	35700	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:54.780849934 CET	1302	35700	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:56.464389086 CET	1302	35700	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:56.464597940 CET	35700	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:56.469449043 CET	1302	35700	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:57.466263056 CET	35702	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:57.471085072 CET	1302	35702	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:57.471162081 CET	35702	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:57.471959114 CET	35702	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:57.476778030 CET	1302	35702	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:57.476836920 CET	35702	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:57.481601000 CET	1302	35702	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:59.170500994 CET	1302	35702	141.98.10.115	192.168.2.15
Jan 8, 2025 17:07:59.170648098 CET	35702	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:07:59.175406933 CET	1302	35702	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:00.172189951 CET	35704	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:00.176970005 CET	1302	35704	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:00.177037954 CET	35704	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:00.177617073 CET	35704	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:00.182347059 CET	1302	35704	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:00.182394028 CET	35704	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:00.187191010 CET	1302	35704	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:01.870904922 CET	1302	35704	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:01.871203899 CET	35704	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:01.875978947 CET	1302	35704	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:02.872541904 CET	35706	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:02.877366066 CET	1302	35706	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:02.877425909 CET	35706	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:02.877954006 CET	35706	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:02.882704973 CET	1302	35706	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:02.882749081 CET	35706	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:02.887554884 CET	1302	35706	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:04.594230890 CET	1302	35706	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:04.594372988 CET	35706	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:04.599157095 CET	1302	35706	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:05.595715046 CET	35708	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:05.600708961 CET	1302	35708	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:05.600765944 CET	35708	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:05.601339102 CET	35708	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:05.606204033 CET	1302	35708	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:05.606249094 CET	35708	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:05.611145973 CET	1302	35708	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:07.296499014 CET	1302	35708	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:07.296634912 CET	35708	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:07.301445961 CET	1302	35708	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:08.298015118 CET	35710	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:08.302833080 CET	1302	35710	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:08.302902937 CET	35710	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:08.303523064 CET	35710	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:08.308317900 CET	1302	35710	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:08.308367014 CET	35710	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:08.313102961 CET	1302	35710	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:10.000720024 CET	1302	35710	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:10.000874996 CET	35710	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:10.005640984 CET	1302	35710	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:11.002573967 CET	35712	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:11.007714033 CET	1302	35712	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:11.007790089 CET	35712	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:11.008749962 CET	35712	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:11.013525009 CET	1302	35712	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:11.013571978 CET	35712	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:11.018357992 CET	1302	35712	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:12.731308937 CET	1302	35712	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:12.731679916 CET	35712	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:12.736465931 CET	1302	35712	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:13.733537912 CET	35714	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:13.738394022 CET	1302	35714	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:13.738507032 CET	35714	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:13.739301920 CET	35714	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:13.744054079 CET	1302	35714	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:13.744101048 CET	35714	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:13.748845100 CET	1302	35714	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:15.434643984 CET	1302	35714	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:15.434824944 CET	35714	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:15.439574003 CET	1302	35714	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:16.436340094 CET	35716	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:16.441219091 CET	1302	35716	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:16.441287041 CET	35716	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:16.441987038 CET	35716	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:16.446813107 CET	1302	35716	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:16.446866035 CET	35716	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:16.451611042 CET	1302	35716	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:18.140953064 CET	1302	35716	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:18.141099930 CET	35716	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:18.148525953 CET	1302	35716	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:19.142509937 CET	35718	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:19.147355080 CET	1302	35718	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:19.147422075 CET	35718	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:19.147973061 CET	35718	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:19.152738094 CET	1302	35718	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:19.152787924 CET	35718	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:19.157514095 CET	1302	35718	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:20.874100924 CET	1302	35718	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:20.874202013 CET	35718	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:20.879034996 CET	1302	35718	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:21.875801086 CET	35720	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:21.880615950 CET	1302	35720	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:21.880682945 CET	35720	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:21.881243944 CET	35720	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:21.886023998 CET	1302	35720	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:21.886073112 CET	35720	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:21.890774965 CET	1302	35720	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:23.589670897 CET	1302	35720	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:23.589864969 CET	35720	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:23.594669104 CET	1302	35720	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:24.591514111 CET	35722	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:24.596539974 CET	1302	35722	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:24.596633911 CET	35722	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:24.597332954 CET	35722	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:24.602106094 CET	1302	35722	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:24.602169037 CET	35722	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:24.606914997 CET	1302	35722	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:26.278531075 CET	1302	35722	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:26.278745890 CET	35722	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:26.283509970 CET	1302	35722	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:27.280278921 CET	35724	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:27.285121918 CET	1302	35724	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:27.285191059 CET	35724	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:27.285849094 CET	35724	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:27.290604115 CET	1302	35724	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:27.290648937 CET	35724	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:27.295402050 CET	1302	35724	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:28.997159004 CET	1302	35724	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:28.997400045 CET	35724	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:29.002201080 CET	1302	35724	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:29.999500990 CET	35726	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:30.004899025 CET	1302	35726	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:30.004981995 CET	35726	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:30.005721092 CET	35726	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:30.010539055 CET	1302	35726	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:30.010586023 CET	35726	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:30.015325069 CET	1302	35726	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:31.717572927 CET	1302	35726	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:31.717837095 CET	35726	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:31.722647905 CET	1302	35726	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:32.719299078 CET	35728	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:32.724108934 CET	1302	35728	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:32.724194050 CET	35728	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:32.724936962 CET	35728	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:32.729784012 CET	1302	35728	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:32.729857922 CET	35728	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:32.734622002 CET	1302	35728	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:34.420887947 CET	1302	35728	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:34.421051025 CET	35728	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:34.425839901 CET	1302	35728	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:35.422763109 CET	35730	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:35.427556992 CET	1302	35730	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:35.427613974 CET	35730	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:35.428534985 CET	35730	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:35.433295965 CET	1302	35730	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:35.433343887 CET	35730	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:35.438141108 CET	1302	35730	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:37.131916046 CET	1302	35730	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:37.132370949 CET	35730	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:37.137187958 CET	1302	35730	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:38.134560108 CET	35732	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:38.139417887 CET	1302	35732	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:38.139514923 CET	35732	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:38.140530109 CET	35732	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:38.145261049 CET	1302	35732	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:38.145306110 CET	35732	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:38.150063992 CET	1302	35732	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:39.904963017 CET	1302	35732	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:39.905244112 CET	35732	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:39.910046101 CET	1302	35732	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:40.907417059 CET	35734	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:40.912269115 CET	1302	35734	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:40.912363052 CET	35734	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:40.913336039 CET	35734	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:40.918081045 CET	1302	35734	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:40.918140888 CET	35734	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:40.922916889 CET	1302	35734	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:42.732475042 CET	1302	35734	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:42.732695103 CET	35734	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:42.737544060 CET	1302	35734	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:43.734437943 CET	35736	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:43.739749908 CET	1302	35736	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:43.739820004 CET	35736	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:43.740387917 CET	35736	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:43.745559931 CET	1302	35736	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:43.745606899 CET	35736	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:43.751121044 CET	1302	35736	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:45.573111057 CET	1302	35736	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:45.573431969 CET	35736	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:45.578257084 CET	1302	35736	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:46.575083017 CET	35738	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:46.579885960 CET	1302	35738	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:46.579977989 CET	35738	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:46.580765963 CET	35738	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:46.585668087 CET	1302	35738	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:46.585717916 CET	35738	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:46.590538025 CET	1302	35738	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:48.281096935 CET	1302	35738	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:48.281441927 CET	35738	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:48.286189079 CET	1302	35738	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:49.282872915 CET	35740	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:49.287646055 CET	1302	35740	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:49.287705898 CET	35740	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:49.288350105 CET	35740	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:49.293078899 CET	1302	35740	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:49.293123007 CET	35740	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:49.297899008 CET	1302	35740	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:51.013292074 CET	1302	35740	141.98.10.115	192.168.2.15
Jan 8, 2025 17:08:51.013420105 CET	35740	1302	192.168.2.15	141.98.10.115
Jan 8, 2025 17:08:51.018179893 CET	1302	35740	141.98.10.115	192.168.2.15

System Behavior

Analysis Process: uYtea.arm.elf PID: 5511, Parent PID: 5429

General

Start time (UTC):	16:06:45
Start date (UTC):	08/01/2025
Path:	/tmp/uYtea.arm.elf
Arguments:	/tmp/uYtea.arm.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: uYtea.arm.elf PID: 5513, Parent PID: 5511

General

Start time (UTC):	16:06:45
Start date (UTC):	08/01/2025
Path:	/tmp/uYtea.arm.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: uYtea.arm.elf PID: 5515, Parent PID: 5513

General

Start time (UTC):	16:06:45
Start date (UTC):	08/01/2025
Path:	/tmp/uYtea.arm.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report uYtea.arm.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: uYtea.arm.elf PID: 5511, Parent PID: 5429

General

Chronological Activities

Analysis Process: uYtea.arm.elf PID: 5513, Parent PID: 5511

General

Chronological Activities

Analysis Process: uYtea.arm.elf PID: 5515, Parent PID: 5513

General

Chronological Activities

Linux Analysis Report
uYtea.arm.elf